Skip Navigation LinksStatement-of-CDPH-HIPAA-Covered-Entity-Status

privacy office

Statement of CDPH HIPAA Covered Entity Status


The California Department of Public Health (CDPH) has determined that it is a "hybrid entity" for purposes of application of the standards in the federal regulations entitled "Standards for Privacy of Individually Identifiable Health Information" ("Privacy Rule") (45 C.F.R. Parts 160, 162, and 164) promulgated pursuant to the requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub. L. No. 104-191, 110 Stat. 1936 (1996), codified as 42 U.S.C. §§ 1320d - 1320d-8). As a hybrid entity under HIPAA, CDPH must (among other things) designate its "health care component". (45 C.F.R. § 164.504(c)(3)(iii).). This Statement is to apprise the public of the hybrid entity determination, and to identify the specific programs that CDPH has designated as covered health care components.

As a hybrid entity under HIPAA, CDPH as a whole is considered a covered entity whose business activities include both HIPAA covered and non-covered functions. In compliance with 45 C.F.R. section 164.504(c)(3)(iii), CDPH has designated the programs set forth in the document at the link below as covered health care components within the hybrid entity: All other CDPH programs have been determined by CDPH to be non-HIPAA-covered components of the Department.

This determination was made after a thorough legal and programmatic analysis of the many and varied programs operated by CDPH. CDPH included in its covered health care components those programs that would meet the definition of a covered entity if each was a separate legal entity. This list could change in the future if certain business practices change in the listed programs or if new programs are created within CDPH or terminated.

HIPAA Covered Healthcare Components

Page Last Updated :